Banner image of Minisign

Minisign

We look at “Minisign – A dead simple tool to sign files and verify signatures." You can use Minisign as an alternative to GnuPG or Signify for signing and verifying files.

Always stay in the loop!
Subscribe to our RSS/Atom feed.

Minisign uses Ed25519 for cryptographic signing and verification. Several projects like the popular crypto libraries libsodium or dnscrypt-proxy use Minisign to sign their releases. Libraries and implementations in Golang (go-minisign) and Rust (rsign2) are available.

The current version of Minisign is 0.9, released in June 2020.

Create a key pair

Download and install Minisign on your platform. Then, enter minisign -G to create a key pair. Set a strong password, ideally by using a password manager.

You should see output like the following:

Please enter a password to protect the secret key. Password: Password (one more time):

You should see where Minisign stores the private and public keys. For instance, on Linux, Minisign stores the private, password-protected key as “~/.minisign/minisign.key” and the public key as “~/minisign.pub.”

Warning
If you create a new key pair, you get two files: The file that ends with ".key" is your private signing key. Do not share it. The file that ends with ".pub" is your public verification key. Share this file with everybody who needs to verify your signatures.

The contents of cat minisign.pub look like:

untrusted comment: current minisign public key of InfoSec Handbook RWTobCZNZpK7QlEBFPj+eGxRxUrsF/wW+Rrm/XOL+RXaC1C6ZLplTsVL

The first line is an “untrusted” comment. “Untrusted” means that it isn’t signed and can be changed. The second line is the Base64 encoded public key.

After creating a key pair, the workflow is similar to tools like GnuPG: You publish your public key “minisign.pub” and use your local private key “minisign.key” to sign files.

Sign a file

To sign files, enter: minisign -Sm [file-to-sign]. Minisign creates a second file with the signature, named “[file-to-sign].minisig.” The file also contains a timestamp and file name of the original file.

Furthermore, you can add “trusted” comments. Trusted comments are signed. Enter minisign -Sm [file-to-sign] -t '[a-trusted-comment]'.

The result looks like:

untrusted comment: signature from minisign secret key RWTobCZNZpK7QnVLb7KjgV0QB+MaYemn/rjDMwIJUcnUyYwHqgCq5JQqwDDEbOAuk2f8WqDpQsYF15ZVgISJcC+NLPaD/WDG4wc= trusted comment: a trusted comment by InfoSec Handbook JTbwBH2GAtnYBbGq484em05IF9/PLY97mhsdqWSUbZP8UYOHDn0YZGKdQNImBHcyHwhKkQrW5kgsio1ixLltAw==

Verify a file

Put the file that should be verified and the “.minisig” file in the same folder. You can verify the file’s signature by entering: minisign -Vm [file-to-verify] -p minisign.pub.

The output looks like:

Signature and comment signature verified Trusted comment: …

Tips

  • Rename your “minisign.pub” and “minisign.key” files if you need numerous key pairs.
  • Always use password managers to store credentials, including your password for Minisign.

Conclusion

Minisign is a modern tool that allows you to sign and verify files. Besides, you can verify Minisign’s signatures using OpenBSD’s Signify tool. The public keys and signatures are compatible. In 2021, Debian started to implement a similar approach (AptSign) to get rid of OpenPGP signatures.

We republished this article in July 2021.

Read also